[TELFORT] Officiele waarschuwing onveilige proxy 82.171.62.187

Lol? K i did slip up today, i opened a spam message on a forum n pressed the link it took me took a blank page but what the hell kind of a threat is an open proxy



ISP email:

Naar aanleiding van klachten hebben wij moeten constateren dat er op uw computer/internetverbinding een onveilige open proxy is ontstaan. Een open proxy is een vrij ernstig beveiligingsprobleem welke zodra aanwezig ook op flinke schaal wordt misbruikt voor niet toegestane activiteiten. Kortweg gezegd komt het er op neer dat andere mensen (kwaadwillenden) in staat zijn om via het internet uw computer te benaderen, en te misbruiken voor onder andere het versturen van grote hoeveelheden ongewenste e-mail (spam). Wij gaan er natuurlijk vanuit dat er geen sprake is van opzet aan uw kant, maar het is uiteraard wel zaak om verdere overlast voor andere internetgebruikers te voorkomen.

De meest voorkomende oorzaak van dit probleem is een bot die zich genesteld heeft in het besturingssysteem van uw computer. Deze bot zal van tijd tot tijd enorme hoeveelheden spam verzenden. Doordat de bot zijn eigen mailprogramma aan boord heeft, ziet u hiervan niets terug in uw postvak uit of verzonden items van uw mailprogramma. Doordat een bot geen virus is, zal een virusscanner ook niets vinden. Doordat er veel kennis benodigd is om een gecompliceerd probleem als dit op te lossen, raden wij u aan het systeem te formatteren, zodat u zeker van het probleem af bent. Vervolgens is het belangrijk te zorgen dat uw nieuw geïnstalleerde besturingssysteem wordt voorzien van alle windows-updates en servicepacks. Tevens raden wij u aan een goede virusscanner en anti-spyware programma?s te installeren en een goede rootkit scanner.



http://www.telfort.nl/klantenservice

E-mail: abuse@telfort.nl

 

For those of us who don't sprechen sie Dutch.

 

K am doin a manual scan with SAS n indeed it has found so far: Rootkit.Dropper/BotNet, 4 Detected Items

Now how come my active programs didnt detect squat and my isp did? btw very dissapointed!

 

I have posted the following on the forum where i received this:

he following poster(a4SXjoc) has send me yesterday the following message(No a bit of joke, but this rocks) containing a link wich will lead to a blank page and will drop a Rootkit.Bot.

I clicked the link because i figured wth with all my advanced security in place yet active protection of FW,HIPS n AS didnt pick up any activity whatsoever. I did find the blank page to be suspicious mainly because i didnt lead me ot anywhere so i did think of the possibility to have received malware without any clicking needed.

Today my suspiciousness was confirmed when my ISP contacted me at several of my emailaccounts containing a rather large formal letter warning me about having a proxy open due to a Bot(large spam sended with builtin mail using rootkit evading techniques), according to them Av's do not pick up this kinda threat.

Ok i can solve my own problem by either cleaning up all threats or a format but i have made this post because it is highly likely that more members on this forum have received such kind of a message and if you did then take direct action(either format or cleanup)

Im in the middle of a scan with SUPERAntiSpyware right now, i have the Pro version. The active protection didnt do jack but the ondermand scan does pick up malware so for example you could use that.

So to the moderators i would like you to keep an eye out on ppl who sign up yet never leave a post like this malware spreader did.

 

SAS:

Detected Item Description and Information

Listed below is basic information about the detected application/process. This application may not be safe to have on your system.

Summary : Rootkit.Dropper/BotNet.Process

Company : Unknown

Description : Rootkit.Dropper/BotNet.Process

Threat Level (1-10) : 5

Processes : *
BN4.TMP

CLSID List :

 

After quarantining n rebooting, i ran a default Edge scan and it detected 3 additional threats, 2 of em High Risk Cloaked Malware(maybe rootkits?) and 1 medium risk

Y have these tools detected these threats during ondemand but didnt protect me in realtime?

 

So, Prevx Edge doesn't detect this rootkit?

 

SAS n Edge detect these threats ondemand only.

I have cleaned this items with Edge followed the Px procedure (disable other security,internet connection) before cleanup, cleaned up - rebooted, Edge does an auto scan then and yet another 3 items but different file names. My guess is they respawned so this malware is pretty advanced

 

Hmmm wanted to clean up the new items and now they show up as cleaned yet they r detected as threats Also got a message from Windows saying Hostproces for Windows-services dont work no mo n is closed

 

Ok status infected, review items from tray icon triggers a scan

 

Jesus picked up another high cloaked malware well im off to another cleanup then

 

KK Edge is green now, will send Joe a final scan report. Took me too many cleanups, reboots, etc. though to clean a few items - supposedly this had been fixed long ago?

 

So who wants the link that drops this nasty, pm me

 

Hello,
No security solution protects against 100% of threats. The malware authors have copies of the security products as well as the users so its always possible for them to engineer around any defense (even whitelisting/anti-executable approaches by breaking the hash algorithm behind the protection).

Edge requiring multiple cleanups was probably the result of infections re-downloading other components during the cleanup process. It sometimes will take a few loops around if infections are extremely persistent, but it does look like your system is secure now

Please let me know if you run into anything else. Your ISP has a unique position as they're able to analyze the real traffic coming from your system, something software physically cannot do. I am surprised that they were able to find this, however, as I've never actually heard of an ISP reporting an infection But either way, it does look like it is resolved now

 

But this doesnt awnser y the active protection wasnt as usefull as ondemand.

N yes im sticking with this ISP

Just finished a full scan with MBAM wich found 2 more adittional items

 

Not sure why they weren't found tbh, however, what did MBAM find?

 

Dont know if these are false positives:

Malwarebytes' Anti-Malware 1.34
Database versie: 1863
Windows 6.0.6001 Service Pack 1

18-3-2009 6:06:54
mbam-log-2009-03-18 (18-06-32).txt

Scan type: Volledige Scan (C:\|D:\|E:\|)
Objecten gescand: 174250
Verstreken tijd: 13 minute(s), 45 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 1
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 1

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICF (Rootkit.Agent) -> No action taken.

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
C:\Windows\System32\icf.exe.exe (Worm.Zhelatin) -> No action taken.

 

whats tbh

 

How is it supposed redownload stuff when ive pulled the plug on the net during cleanup as ordered by Edge's cleanup proces?

Joe with all due respect, im not looking for pr damage control but for real awnsers n a prob. looking into how this can be prevented

 

"tbh" is "to be honest"

However, the MBAM reported "infections" look like a FP - that is just the empty registry key which was left over for some reason.

Edge did actually remove the malicious component of it:

[BP] c:\windows\syswow64\icf.exe.exe:ext.exe [PX5: 9F8DEC3B00E661F1802600AE539FC2009AF0B46D] Malware Group: Medium Risk Malware

 

It could have downloaded it between when the scan finished and when you pulled the plug - its very hard to say. It could also have dropped further infections from the running infections.

I'm not sure why it wasn't stopped, but nothing is 100% and we can't possibly hope to be 100%. You were using a multi-layered approach and it still wasn't 100%, which proves that nothing is perfect. Not sure what else I can say about it but simply that we will work on improving protection for similar threats in the future. It is a bit odd that the infections were found on-demand and not on-access, but it may be because of SAS blocking Edge from reading the other files - its hard to say really.

 

Is it coming back still?
Is the cleanup successfull?
Real machine or VM session?

If real machine you can use a hex editor from alternate boot medium to check the drive if your still having issues. Verify partitions, check end of drive, look for multiple MBRs.

 

Nono, real machine and all seems good now - thank you though i will have to change my security setup for obvious reasons